Cross-site scripting vulnerability in WebAccess.

  • 10098301
  • NOVL102768
  • 15-Jul-2005
  • 27-Jul-2005

Archived Content: This information is no longer maintained and is provided 'as is' for your convenience.

Fact

Novell GroupWise 6.5

Symptom

Cross-site scripting vulnerability in WebAccess.

CAN-2005-2276

An outside security researcher reported a cross-site scripting vulnerability in GroupWise WebAccess. In certain circumstances, a specially crafted malicious email could execute JavaScript code within the user's browser.

Fix

This has been fixed in any build of GroupWise 6.5 WebAccess dated after July 11, 2005. This fix will also be included in GroupWise 6.5 SP5.

Field test files for GroupWise 6.5 are available here: https://support.novell.com/filefinder/16963/beta.html

Note

Novell acknowledges Francisco Amato for discovering this vulnerability and working with Novell to get it fixed.